A student loan company has settled with the Federal Trade Commission (FTC) over charges it did not offer reliable security for its customers' personal information.
San Diego-based Goal Financial has experienced a number of data-security shortfalls, according to the FTC, including the unauthorized transfer of more than 7,000 files of consumer information to third parties and the sale of surplus hard drives that still contained the personal records of 34,000 consumers.
The FTC said in a Tuesday statement that Goal Financial violated agency rules that require organizations to assess the risks related to data handling, restrict access to certain information, deploy a comprehensive information security program, provide employee training and ensure partners comply with data-protection rules.
In addition, the loan company broke FTC privacy regulations by offering a “false and misleading” privacy policy that incorrectly told customers their data was being protected through “reasonable and appropriate measures.”
Richard Taylor, who is listed on the company website as Goal Financial's chief marketing officer, told SCMagazineUS.com on Thursday that he is “vaguely” connected with the company and unable to comment on the settlement.
A call to Goal Financial's main customer service number yielded an answering machine, and, according to the site, the company is no longer accepting loan applications due to the College Cost Reduction and Access Act of 2007.
Under a consent order with the FTC, Goal Financial must implement an IT security program to include administrative, technical and physical safeguards. In addition, the company is required to undergo a security audit every two years for the next decade.
According to the FTC, this is the 17th time the agency has pursued charges against a company alleged to have lax information security measures in place.
San Diego-based Goal Financial has experienced a number of data-security shortfalls, according to the FTC, including the unauthorized transfer of more than 7,000 files of consumer information to third parties and the sale of surplus hard drives that still contained the personal records of 34,000 consumers.
The FTC said in a Tuesday statement that Goal Financial violated agency rules that require organizations to assess the risks related to data handling, restrict access to certain information, deploy a comprehensive information security program, provide employee training and ensure partners comply with data-protection rules.
In addition, the loan company broke FTC privacy regulations by offering a “false and misleading” privacy policy that incorrectly told customers their data was being protected through “reasonable and appropriate measures.”
Richard Taylor, who is listed on the company website as Goal Financial's chief marketing officer, told SCMagazineUS.com on Thursday that he is “vaguely” connected with the company and unable to comment on the settlement.
A call to Goal Financial's main customer service number yielded an answering machine, and, according to the site, the company is no longer accepting loan applications due to the College Cost Reduction and Access Act of 2007.
Under a consent order with the FTC, Goal Financial must implement an IT security program to include administrative, technical and physical safeguards. In addition, the company is required to undergo a security audit every two years for the next decade.
According to the FTC, this is the 17th time the agency has pursued charges against a company alleged to have lax information security measures in place.
